Method and system for authentication over a public network using multiple out-of-band communications channels to send keys

ABSTRACT

A method includes sending an open request to a directory server for a first key, the first key being a trusted key wrapped in a public key. The open request includes an authentication request value that identifies the open request as a verified setup directory service, the public key, an email address and a specified out-of-band communication channel. The directory server sends a first reply after generating the first key, which first reply is sent directly back with a first half of the first key offset by a unique value and wrapped using the public key. The second reply is sent via email to the email address, which second reply includes a second half of the first key offset by the first half of the first key. The third reply is sent to the out-of-band channel, which third reply includes the unique value.

RELATED APPLICATIONS

This application claims priority to U.S. patent application Ser. No.13/430,253 filed Mar. 26, 2012 (now U.S. Pat. No. 8,649,520), whichissued Feb. 11, 2014 and is entitled “Method and System for Real-TimeTrust in a Public Network”, which application in turn claimed priorityto U.S. patent application Ser. No. 11/899,742 filed Sep. 6, 2007 (nowU.S. Pat. No. 8,144,875), which issued Mar. 27, 2012 and is entitled“Method and System for Establishing Real-Time Authenticated and SecuredCommunications Channels in a Public Network”, which application in turnclaimed the benefit of U.S. Provisional Application No. 60/842,595 filedSep. 6, 2006—all of which applications were filed by the same inventor.

This application also claims priority to U.S. patent application Ser.No. 11/899,741 filed Sep. 6, 2007 now U.S. Pat. No. 8,144,874 whichissued Mar. 27, 2012 and is entitled “Method for Obtaining Key for Usein Secure Communications Over a Network and Apparatus for ProvidingSame”, which claimed the benefit of U.S. Provisional Application No.60/842,595—all of which applications were filed by the same inventor.

U.S. patent application Ser. No. 13/430,253 is hereby incorporated byreference, including the drawings, as if repeated herein in itsentirety. U.S. patent application Ser. No. 11/899,741 is herebyincorporated by reference, including the drawings, as if repeated hereinin its entirety. U.S. patent application Ser. No. 11/899,742 is alsohereby incorporated by reference, including the drawings, as if repeatedherein in its entirety. U.S. Provisional Application No. 60/842,595 isalso hereby incorporated by reference, including the drawings, as ifrepeated herein in its entirety.

FIELD OF THE INVENTION

The present invention relates generally to systems and methods forconducting communications over networks, and more particularly to asystem and method for conducting communications securely over a publicnetwork or via any communication link.

BACKGROUND OF THE INVENTION

U.S. patent application Ser. No. 11/899,741 and U.S. patent applicationSer. No. 11/899,742 disclose an extension of Secure Sockets Layer (SSL)communications. The inventor terms this extension Secure Sockets LayereXtended (SSLX).

SSLX answers the question “Why isn't all Internet traffic secure, allthe time?” One process for Internet authentication and security is SSL,which is a static process based on Public Key mathematics that doesn'tallow for real time transmissions because of performance; so SSLX wasdeveloped to allow for real time processing of the SSLX-EA (EmbeddedAuthentication) methods such that the current SSL system is replaced byreal-time SSLX. This covers standard traffic from those asking forinformation of those serving information (the INTERnet).

But what about all of the inter-Internet traffic, such as when ashopping website combs various manufacturers for pricing information andserves that to an inquirer? How would all of that information begathered with the same authentication and security as when it iscollectively served through SSL (and/or SSLX)?

The present invention is therefore directed to the problem of developinga method and apparatus for providing inter-Internet traffic with secureauthentication.

SUMMARY OF THE INVENTION

The present invention solves this and other problems by developing thenext-generation of the Internet, where any and all suchcombined/sorted/integrated information can be delivered within the realtime of a request, across multiple information centers (the INTRAnet).This will enable Facebook and Twitter and AIM and email and VoIP and,well everything, to be combined into on-the-fly Real Time Trustcommunication from anywhere to everywhere: An Authentic and SecureCloud.

According to one aspect of the present invention, an exemplaryembodiment of a method for performing authenticated communication in apublic network includes certain steps by a directory server and a commondirectory server to generate by the common directory server a key foruse by the directory server in subsequent communications with anotherdirectory server having obtained a key in a similar manner. In thisexemplary embodiment, the directory server sends an open request to thecommon directory server for a key, which key comprises a trustedembedded authentication common directory service key wrapped in a publickey of a public-private key pair. The open request includes anauthentication request value that identifies the open request as averified setup directory server, the public key, an email address and aspecified third additional out-of-band communication channel. The commondirectory server sends a first reply of three replies after generatingthe key. The first reply is sent by the common directory server directlyback to the directory server with a first half of the key offset by aunique value and wrapped using the public key. The second reply of thethree replies is sent by the common directory server via email to theemail address. The second reply includes a second half of the key offsetby the first half of the key. The common directory server sends a thirdreply of the three replies to the specified third additional out-of-bandchannel, which third reply includes the unique value.

The exemplary embodiment of the aforementioned method may includecreating by the directory server the public-private key pair, whichincludes the public key and a private key.

The exemplary embodiment of the aforementioned method may includecombining the first half of the key and the second half of the key toform the key using the offset specified by the unique value.

The exemplary embodiment of the aforementioned method may includestoring the key in a predetermined location in the directory server.

The exemplary embodiment of the aforementioned method may includesending by the directory server a confirmation message wrapped in thefirst key to the common directory server.

The exemplary embodiment of the aforementioned method may includedecrypting by the common directory server the confirmation message usingthe key, which confirmation message includes a sent value.

The exemplary embodiment of the aforementioned method may includesending a denied message wrapped in the public key back to the directoryserver by the common directory server if the sent value does not equal avalue calculated by the common directory server using the first keyduring the decrypting.

The exemplary embodiment of the aforementioned method may includedecrypting by the directory server the denied message using the publickey and removing by the directory server the first key from thepredetermined location in the directory server.

The exemplary embodiment of the aforementioned method may include usingby the directory server the first key in all subsequent authenticationhandshakes through the common directory service with other directoryservers having keys obtained from the common directory server in asimilar manner.

In any of the exemplary embodiments herein, the specified thirdadditional out-of-band channel may include a telephone number to whichto send a computer generated voice message, a telephone number to whichto send a text message, an email address to which to send an electronicmessage, or any social media destination address such as a specificfacebook page or twitter account.

According to another aspect of the present invention, a method forperforming real-time authentication between a first directory server anda second directory server can be accomplished in the following manner,if the first directory server has obtained a first key from a commondirectory server and the second directory server has obtained a secondkey from the common directory server. The first directory server sends afirst request to the common directory server wrapped in the first key inan SSLX-EA communication to obtain a first directory server sessionmaster key to use in subsequent communication with the second directoryserver. The first request includes a first authentication request valuethat indicates to the common directory server with which one of aplurality of directory servers that the first directory server wishes tocommunicate. The first directory server session master key is generatedby the common directory server. The common directory server sends afirst of two replies after generating the first directory server sessionmaster key. The first reply is sent to the second directory server withthe first directory server session master key wrapped in an SSLX-EAmessage using the second key. The second reply of the two replies issent by the common directory server back to the first directory serverwith the first directory server session master key wrapped in an SSLX-EAmessage using the first key.

The exemplary embodiment of the aforementioned method may includewrapping all communications with the second directory server by thefirst directory server with the first directory server session masterkey in an SSLX-EA message.

The exemplary embodiment of the aforementioned method may includeunwrapping all communications from the first directory server by thesecond directory server using the first directory server session masterkey.

According to yet another aspect of the present invention, an exemplaryembodiment of a method for performing authenticated communication in apublic network can be performed in the following manner. A firstdirectory server sends a first open request to a common directory serverfor a first key. The first key comprises a trusted embeddedauthentication common directory service key wrapped in a first publickey of a first public-private key pair of the first directory server.The first open request includes a first authentication request valuethat identifies the first open request as a verified setup directoryservice, the first public key, a first email address and a firstspecified third additional out-of-band communication channel. The commondirectory server sends to the first directory server a first reply ofthree replies after generating the first key. The first reply is sentdirectly back to the first directory server with a first half of thefirst key offset by a first unique value and wrapped using the firstpublic key. The common directory server sends a second reply of thethree replies via email to the first email address. The second replyincludes a second half of the first key offset by the first half of thefirst key. The common directory server sends a third reply of the threereplies to the first specified third additional out-of-band channel. Thethird reply includes the first unique value. The first directory serverthen combines the first half of the first key and the second half of thefirst key to form the first key using an offset specified by the firstunique value. The first directory server sends a first confirmationmessage wrapped in the first key to the common directory server. Asecond directory server sends a second open request to the commondirectory server for a second key, which second key comprises a trustedembedded authentication common directory service key wrapped in a secondpublic key of a second public-private key pair of the second directoryserver. The second open request includes a second authentication requestvalue that identifies the second open request as a verified setupdirectory service, the second public key, a second email address and asecond specified third additional out-of-band communication channel. Thecommon directory server sends to the second directory server a firstreply of three replies after generating the second key, which firstreply is sent directly back to the second directory server with a firsthalf of the second key offset by a second unique value and wrapped usingthe second public key. The common directory server sends to the seconddirectory server a second reply of the three replies to the seconddirectory server via email to the second email address. The second replyto the second directory server includes a second half of the second keyoffset by the first half of the second key. The common directory serversends a third reply of the three replies to the second directory serverto the second specified third additional out-of-band channel. The thirdreply to the second directory server includes the second unique value.The second directory server combines the first half of the second keyand the second half of the second key to form the second key using anoffset specified by the second unique value. The second directory serversends a second confirmation message wrapped in the second key to thecommon directory server. Now, the first directory server sends a firstrequest to the common directory server wrapped in the first key in anSSLX-EA communication to obtain a first directory server session masterkey to use in subsequent communication with the second directory server.The first request includes a first authentication request value thatindicates to the common directory server with which one of a pluralityof directory servers that the first directory server wishes tocommunicate. The common directory server generates the first directoryserver session master key and sends a first of two replies aftergenerating the first directory server session master key. The firstreply is sent to the second directory server with the first directoryserver session master key wrapped in an SSLX-EA message using the secondkey a second reply of the two replies is sent back to the firstdirectory server with the first directory server session master keywrapped in an SSLX-EA message using the first key.

The exemplary embodiment of the aforementioned method may includewrapping all communications with the second directory server by thefirst directory server with the first directory server session masterkey in an SSLX-EA message.

The exemplary embodiment of the aforementioned method may includeunwrapping all communications from the first directory server by thesecond directory server using the first directory server session masterkey.

In any of the exemplary embodiments herein, the specified thirdadditional out-of-band channel may include a telephone number to whichto send a computer generated voice message, a telephone number to whichto send a text message, an email address to which to send an electronicmessage or any social media destination address such as a specificfacebook page or twitter account.

These and other features and advantages of the present invention willbecome more apparent from the following description of exemplaryembodiments thereof, as illustrated in the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts a block diagram of a verified common directory servicesetup according to one aspect of the present invention.

FIG. 2 depicts a block diagram of a common directory serviceauthentication handshake according to another aspect of the presentinvention.

DETAILED DESCRIPTION

U.S. Pat. No. 8,144,875 (“the '874 patent”) and U.S. Pat. No. 8,144,875(“the '875 patent”) (both of which have been previously incorporated byreference in their entireties) disclose an SSLX process for the threemain ‘information centers’ and Internet software components: DirectoryService (DS), Website (Web Server) and End User (Browser). The '874 and'875 patents also disclose the methods for three specific communicationsthat in total accomplish SSLX: A Verified Setup (VSU) between bothBrowsers and Web Servers with a DS; Real-Time Handshake (AH) between aBrowser and a Web Server; and Normal Operation (secure routineany-direction communication) between the Browser and the Web Server.

In order to comprehensively extend SSLX within a cloud environment wherenumerous independent information centers will or may be a part of anyon-the-fly authentic and secure communications, this present inventiondiscloses exemplary embodiments of methods for DS to DS communicationsincluding those between the Common Directory Server (CDS) and any DS, aswell as definition of the methods for SSLX Public Authority (PA)information center communications between DS to PA, Webserver to PA andBrowser to PA. This completes the creation of a full Real Time Trustcapability for the Internet using the CDS as a public trusted 3^(rd)party authority for all SSLX authentic, secure and private Internetcommunications between any and all Directory Services, Web Servers andBrowsers, with oversight from the PA.

Communications

DS to DS communication requires the use of the Common DS in order tomaintain the integrity of the existing SSLX communications. The sameSSLX types of communications that exist among DS-Browser-Web Server areused in specialized format between a DS the CDS and another DS.

VSU-CDS

Operation

Referring to FIG. 1, the following describes an exemplary embodiment ofoperation of the Verified DS Set Up for any Directory Server to CommonDirectory Server. The DS first creates a public and private key pair,and sends an open request to the Common Directory Service (CDS) for atrusted SSLX-EA (Embedded Authentication) CDS Key (CDSK) to be wrappedin the public key (VD-DS1). This process is disclosed in detail in the'874 and '875 patents. The request has an Authentication Request (AR)value that identifies it as a VSU-DS (since a regular SSLX VSU can beperformed at the CDS operating as a regular DS).

The AR value is for a specialized combination of both public key andemail as well as a third additional out-of-band communication channel.The CDS will make three replies after generating the CDSK for thisDS—one directly back to the DS (Reply A) with the 1^(st) half of theCDSK offset by a 4-6 digit hexadecimal SSLX-EA PIN and wrapped using thesent public key (VD-CDS2). The second reply (Reply B) is in email to theemail address specified in the AR with the 2^(nd) half of the CDSKoffset by the 1^(st) half (VD-CDS3) and the third reply (Reply C) is toa phone, email, text or some other out-of-band channel specified in theAR with the SSLX-EA offset PIN (VD-CDS4).

The DS will allow input of the two halves of the CDSK, as well as theoffset PIN, and perform first a SSLX-EA offset adjustment of the 1^(st)half of the unwrapped public key half of the CDSK using the PIN, andthen use that 1^(st) half to perform a SSLX-EA offset adjustment to the2^(nd) half of the CDSK. After generating the entire CDSK, it will bestored in a specialized VSU-DS location. In order to finalize the CDSverification set up, a confirmation TCP message will be sent to the CDSwrapped in the new CDSK (VD-DS5). The CDS will use the CDSK to decryptthe confirmation message (VD-CDS6). If it is not confirmed, and the sentvalues don't equal the calculated values, then the CDS will send a“denied” message back to the DS wrapped in the public key (VD-CDS7). TheDS will then decrypt the denied message, and remove the CDS from theVSU-DS location (VD-DS8). In order to perform Real Time Trustcommunication through the CDS, the VSU-DS must be successfullyperformed.

After a successful VSU-DS, the DS will use the CDSK in AuthenticationHandshakes to other SSLX-supported DSs through the CDS.

CDS Authentication Handshake (AH-CDS)

Operation

Referring to FIG. 2, the following describes an exemplary embodiment ofan Authentication Handshake for Real Time Trust using the CommonDirectory Service. The CDS Authentication Handshake (AH-CDS) occurs whena DS (DS-A) wants to communicate w/another DS (DS-B). DS-A sends arequest to the CDS using its CDSK in an SSLX-EA communication to obtaina DS Session Master Key (DSMK) to use for SSLX communication w/DS-B(AC-DSA1). The request has a CDS Authentication Request value thatindicates to the CDS which DS with which it wishes to communicate. TheCDS will make two replies after generating the DSMK for this DS—one toDS-B with the DSMK for the session w/DS-A wrapped in an SSLX-EA messageusing its CDSK (AC-CDS2); and the other back to DS-A with the DSMKwrapped using its CDSK (AC-CDS3). DS-B will await the next communicationw/DS-A because DS-A initiated this requested session. DS-A will use anypre-established information exchange process w/DS-B, both of which willuse the Real Time Trust shared DSMK key for this session (AC-DSA4).

Normal Operation (Trusted)

Upon initially performing a VSU-CDS to register for INTRAnet Real TimeTrust across any public entity, then any DS information center canperform a CDS Authentication Handshake (AH-CDS) in real time requestingsecure communication with any other registered public DS and thencommunicate using the SSLX DSMK just as any SSLX entity communicatesusing mutual authentication and data security in trusted mode. Thespecifics of that communication are detailed in the existing patents.

Real Time Trust Public Verification Communication

For each and any entity in SSLX, they will be able to send an open HTTPrequest to any public SSLX DS, the CDS and the Public Authority (PA) forconnection information regarding any DS or the CDS. Any Browser, WebServer and/or DS will be able to publicly verify the current SSLXstanding (last VSU date, VSU types, etc.) and current connectioninformation (IP Address, public contact info, SMK or DSMK key life,etc.) of any DS or the CDS and their SSLX standing and information asheld by the CDS or PA. This completes the circle of Real Time Trust asoutlined in the original SSLX patents and reference architecture guide:any SSLX entity can verify any SSLX connection in real time.

What is claimed is:
 1. A non-transitory computer readable media haveencoded thereon instructions for a processor and memory to cause theprocessor in conjunction with the memory to perform a method forperforming real-time authentication between a first directory server anda second directory server, the first directory server having obtained afirst key from a common directory server and the second directory serverhaving obtained a second key from the common directory servercomprising: sending by the first directory server a first request to thecommon directory server wrapped in the first key in an SSLX-EAcommunication to obtain a first directory server session master key touse in subsequent communication with the second directory server,wherein the first request includes a first authentication request valuethat indicates to the common directory server with which one of aplurality of directory servers that the first directory server wishes tocommunicate; generating the first directory server session master key bythe common directory server; sending by the common directory server afirst of two replies after generating the first directory server sessionmaster key, wherein the first reply is sent to the second directoryserver with the first directory server session master key wrapped in anSSLX-EA message using the second key; sending a second reply of the tworeplies back to the first directory server with the first directoryserver session master key wrapped in an SSLX-EA message using the firstkey; sending by a first directory server a first open request to acommon directory server for a first key, said first key being a trustedembedded authentication common directory service key wrapped in a firstpublic key of a first public-private key pair of the first directoryserver, wherein the first open request includes a first authenticationrequest value that identifies the first open request as a verified setupdirectory service, the first public key, a first email address and afirst specified third additional out-of-band communication channel;sending to the first directory server by the common directory server afirst reply of three replies after generating the first key, said firstreply being sent directly back to the first directory server with afirst half of the first key offset by a first unique value and wrappedusing the first public key; sending a second reply of the three repliesvia email to the first email address, said second reply including asecond half of the first key offset by the first half of the first key;sending a third reply of the three replies to the first specified thirdadditional out-of-band channel, said third reply including the firstunique value; combining by the first directory server the first half ofthe first key and the second half of the first key to form the first keyusing an offset specified by the first unique value; sending by thefirst directory server a first confirmation message wrapped in the firstkey to the common directory server; sending by a second directory servera second open request to a common directory server for a second key,said second key being a trusted embedded authentication common directoryservice key wrapped in a second public key of a second public-privatekey pair of the second directory server, wherein the second open requestincludes a second authentication request value that identifies thesecond open request as a verified setup directory service, the secondpublic key, a second email address and a second specified thirdadditional out-of-band communication channel; sending to the seconddirectory server by the common directory server a first reply of threereplies after generating the second key, said first reply being sentdirectly back to the second directory server with a first half of thesecond key offset by a second unique value and wrapped using the secondpublic key; sending by the common directory server to the seconddirectory server a second reply of the three replies to the seconddirectory server via email to the second email address, said secondreply to the second directory server including a second half of thesecond key offset by the first half of the second key; sending a thirdreply of the three replies to the second directory server to the secondspecified third additional out-of-band channel, said third reply to thesecond directory server including the second unique value; combining bythe second directory server the first half of the second key and thesecond half of the second key to form the second key using an offsetspecified by the second unique value; sending by the second directoryserver a second confirmation message wrapped in the second key to thecommon directory server; sending by the first directory server a firstrequest to the common directory server wrapped in the first key in anSSLX-EA communication to obtain a first directory server session masterkey to use in subsequent communication with the second directory server,wherein the first request includes a first authentication request valuethat indicates to the common directory server with which one of aplurality of directory servers that the first directory server wishes tocommunicate; generating the first directory server session master key bythe common directory server; sending by the common directory server afirst of two replies after generating the first directory server sessionmaster key, wherein the first reply is sent to the second directoryserver with the first directory server session master key wrapped in anSSLX-EA message using the second key; and sending a second reply of thetwo replies back to the first directory server with the first directoryserver session master key wrapped in an SSLX-EA message using the firstkey.
 2. The non-transitory computer readable media according to claim 1,wherein the method further comprises: wrapping all communications withthe second directory server by the first directory server with the firstdirectory server session master key in an SSLX-EA message.
 3. Thenon-transitory computer readable media according to claim 2, wherein themethod further comprises: unwrapping all communications from the firstdirectory server by the second directory server using the firstdirectory server session master key.
 4. The non-transitory computerreadable media according to claim 1, wherein the first or secondspecified third additional out-of-band channel includes a telephonenumber to which to send a computer generated voice message.
 5. A methodfor performing real-time authentication between a first directory serverand a second directory server, the first directory server havingobtained a first key from a common directory server and the seconddirectory server having obtained a second key from the common directoryserver comprising: sending by the first directory server a first requestto the common directory server wrapped in the first key in an SSLX-EAcommunication to obtain a first directory server session master key touse in subsequent communication with the second directory server,wherein the first request includes a first authentication request valuethat indicates to the common directory server with which one of aplurality of directory servers that the first directory server wishes tocommunicate; generating the first directory server session master key bythe common directory server; sending by the common directory server afirst of two replies after generating the first directory server sessionmaster key, wherein the first reply is sent to the second directoryserver with the first directory server session master key wrapped in anSSLX-EA message using the second key; sending a second reply of the tworeplies back to the first directory server with the first directoryserver session master key wrapped in an SSLX-EA message using the firstkey; sending by a first directory server a first open request to acommon directory server for a first key, said first key being a trustedembedded authentication common directory service key wrapped in a firstpublic key of a first public-private key pair of the first directoryserver, wherein the first open request includes a first authenticationrequest value that identifies the first open request as a verified setupdirectory service, the first public key, a first email address and afirst specified third additional out-of-band communication channel;sending to the first directory server by the common directory server afirst reply of three replies after generating the first key, said firstreply being sent directly back to the first directory server with afirst half of the first key offset by a first unique value and wrappedusing the first public key; sending a second reply of the three repliesvia email to the first email address, said second reply including asecond half of the first key offset by the first half of the first key;sending a third reply of the three replies to the first specified thirdadditional out-of-band channel, said third reply including the firstunique value; combining by the first directory server the first half ofthe first key and the second half of the first key to form the first keyusing an offset specified by the first unique value; sending by thefirst directory server a first confirmation message wrapped in the firstkey to the common directory server; sending by a second directory servera second open request to a common directory server for a second key,said second key being a trusted embedded authentication common directoryservice key wrapped in a second public key of a second public-privatekey pair of the second directory server, wherein the second open requestincludes a second authentication request value that identifies thesecond open request as a verified setup directory service, the secondpublic key, a second email address and a second specified thirdadditional out-of-band communication channel; sending to the seconddirectory server by the common directory server a first reply of threereplies after generating the second key, said first reply being sentdirectly back to the second directory server with a first half of thesecond key offset by a second unique value and wrapped using the secondpublic key; sending by the common directory server to the seconddirectory server a second reply of the three replies to the seconddirectory server via email to the second email address, said secondreply to the second directory server including a second half of thesecond key offset by the first half of the second key; sending a thirdreply of the three replies to the second directory server to the secondspecified third additional out-of-band channel, said third reply to thesecond directory server including the second unique value; combining bythe second directory server the first half of the second key and thesecond half of the second key to form the second key using an offsetspecified by the second unique value; sending by the second directoryserver a second confirmation message wrapped in the second key to thecommon directory server; sending by the first directory server a firstrequest to the common directory server wrapped in the first key in anSSLX-EA communication to obtain a first directory server session masterkey to use in subsequent communication with the second directory server,wherein the first request includes a first authentication request valuethat indicates to the common directory server with which one of aplurality of directory servers that the first directory server wishes tocommunicate; generating the first directory server session master key bythe common directory server; sending by the common directory server afirst of two replies after generating the first directory server sessionmaster key, wherein the first reply is sent to the second directoryserver with the first directory server session master key wrapped in anSSLX-EA message using the second key; and sending a second reply of thetwo replies back to the first directory server with the first directoryserver session master key wrapped in an SSLX-EA message using the firstkey.
 6. The method according to claim 5, wherein the method furthercomprises: wrapping all communications with the second directory serverby the first directory server with the first directory server sessionmaster key in an SSLX-EA message.
 7. The method according to claim 6,wherein the method further comprises: unwrapping all communications fromthe first directory server by the second directory server using thefirst directory server session master key.
 8. The method according toclaim 5, wherein the first or second specified third additionalout-of-band channel includes a telephone number to which to send acomputer generated voice message.
 9. The method according to claim 5,wherein the method further comprises: wrapping all communications withthe second directory server by the first directory server with the firstdirectory server session master key.
 10. The method according to claim9, wherein the method further comprises: unwrapping all communicationsfrom the first directory server by the second directory server using thefirst directory server session master key.
 11. An apparatus forperforming real-time authentication comprising: a common directoryserver; a first directory server coupled to the common directory serverover a public network; and a second directory server coupled to thefirst directory server and the common directory server over the publicnetwork, the first directory server to obtain a first key from thecommon directory server and the second directory server to obtain asecond key from the common directory server, wherein: sending by thefirst directory server a first request to the common directory serverwrapped in the first key in an SSLX-EA communication to obtain a firstdirectory server session master key to use in subsequent communicationwith the second directory server, wherein the first request includes afirst authentication request value that indicates to the commondirectory server with which one of a plurality of directory servers thatthe first directory server wishes to communicate; generating the firstdirectory server session master key by the common directory server;sending by the common directory server a first of two replies aftergenerating the first directory server session master key, wherein thefirst reply is sent to the second directory server with the firstdirectory server session master key wrapped in an SSLX-EA message usingthe second key; sending a second reply of the two replies back to thefirst directory server with the first directory server session masterkey wrapped in an SSLX-EA message using the first key; sending by afirst directory server a first open request to a common directory serverfor a first key, said first key being a trusted embedded authenticationcommon directory service key wrapped in a first public key of a firstpublic-private key pair of the first directory server, wherein the firstopen request includes a first authentication request value thatidentifies the first open request as a verified setup directory service,the first public key, a first email address and a first specified thirdadditional out-of-band communication channel; sending to the firstdirectory server by the common directory server a first reply of threereplies after generating the first key, said first reply being sentdirectly back to the first directory server with a first half of thefirst key offset by a first unique value and wrapped using the firstpublic key; sending a second reply of the three replies via email to thefirst email address, said second reply including a second half of thefirst key offset by the first half of the first key; sending a thirdreply of the three replies to the first specified third additionalout-of-band channel, said third reply including the first unique value;combining by the first directory server the first half of the first keyand the second half of the first key to form the first key using anoffset specified by the first unique value; sending by the firstdirectory server a first confirmation message wrapped in the first keyto the common directory server; sending by a second directory server asecond open request to a common directory server for a second key, saidsecond key being a trusted embedded authentication common directoryservice key wrapped in a second public key of a second public-privatekey pair of the second directory server, wherein the second open requestincludes a second authentication request value that identifies thesecond open request as a verified setup directory service, the secondpublic key, a second email address and a second specified thirdadditional out-of-band communication channel; sending to the seconddirectory server by the common directory server a first reply of threereplies after generating the second key, said first reply being sentdirectly back to the second directory server with a first half of thesecond key offset by a second unique value and wrapped using the secondpublic key; sending by the common directory server to the seconddirectory server a second reply of the three replies to the seconddirectory server via email to the second email address, said secondreply to the second directory server including a second half of thesecond key offset by the first half of the second key; sending a thirdreply of the three replies to the second directory server to the secondspecified third additional out-of-band channel, said third reply to thesecond directory server including the second unique value; combining bythe second directory server the first half of the second key and thesecond half of the second key to form the second key using an offsetspecified by the second unique value; sending by the second directoryserver a second confirmation message wrapped in the second key to thecommon directory server; sending by the first directory server a firstrequest to the common directory server wrapped in the first key in anSSLX-EA communication to obtain a first directory server session masterkey to use in subsequent communication with the second directory server,wherein the first request includes a first authentication request valuethat indicates to the common directory server with which one of aplurality of directory servers that the first directory server wishes tocommunicate; generating the first directory server session master key bythe common directory server; sending by the common directory server afirst of two replies after generating the first directory server sessionmaster key, wherein the first reply is sent to the second directoryserver with the first directory server session master key wrapped in anSSLX-EA message using the second key; and sending a second reply of thetwo replies back to the first directory server with the first directoryserver session master key wrapped in an SSLX-EA message using the firstkey.
 12. The apparatus according to claim 11, further comprisingwrapping all communications with the second directory server by thefirst directory server with the first directory server session masterkey in an SSLX-EA message.
 13. The apparatus according to claim 12,further comprising: unwrapping all communications from the firstdirectory server by the second directory server using the firstdirectory server session master key.
 14. The apparatus according toclaim 11, wherein the first or second specified third additionalout-of-band channel includes a telephone number to which to send acomputer generated voice message.
 15. The apparatus according to claim11, further comprising: wrapping all communications with the seconddirectory server by the first directory server with the first directoryserver session master key.
 16. The method according to claim 15, furthercomprising: unwrapping all communications from the first directoryserver by the second directory server using the first directory serversession master key.
 17. The non-transitory computer readable mediaaccording to claim 1, wherein the method further comprises: wrapping allcommunications with the second directory server by the first directoryserver with the first directory server session master key.
 18. Thenon-transitory computer readable media according to claim 1, wherein themethod further comprises: unwrapping all communications from the firstdirectory server by the second directory server using the firstdirectory server session master key.